b'                      SPECTO\n                 IN            R\n             F                     G\n         O                             E\n     E\n\n\n\n\n                                       N\n     C\n\n\n\n\n                                           E\nFI\n\n\n\n\n                                           RA\nOF\n\n\n\n\n                                               L\n                                                   OFFICE OF INSPECTOR GENERAL\n                                                       EXPORT-IMPORT BANK\n                                                        of the UNITED STATES\n\n\n\n\n                      Fiscal Year 2013\n                    Financial Statement\n                  Audit- Management Letter\n\n\n\n\n                                                                     March 21,2014\n\n\n                                                                      OIG-AR-14-04\n\n\n\x0cTo:          David Sena, Senior Vice President and Chief Financial Officer\n             Fernanda Young, Chief Information Officer\n\nFrom:\t\t      Arturo Cornejo AC\n             Assistant Inspector General for Audits (Acting)\n\nSubject:\t\t   Fiscal Year 2013 Financial Statement Audit - Final Management Letter\n             OIG-AR-14-04\n\nDate:\t\t      March 21, 2014\n\n\nThis memorandum transmits Deloitte and Touche LLP\xe2\x80\x99s Management Letter of the\nExport-Import Bank of the United States (Ex-Im Bank) financial statements for fiscal\nyear ended 2013. Under a contract monitored by this office, we engaged the\nindependent public accounting firm of Deloitte and Touche to perform the audit.\nThe contract required the audit to be done in accordance with: United States\ngenerally accepted government auditing standards; Office of Management and\nBudget audit guidance; and the Government Accountability Office/President\xe2\x80\x99s\nCouncil on Integrity and Efficiency Financial Audit Manual.\n\nDeloitte and Touche identified deficiencies related to the Ex-Im Bank\xe2\x80\x99s internal\ncontrol over financial reporting and other matters that needed your attention. The\nobservations, recommendations, and your responses regarding such matters are\npresented in the Attachment.\n\nDeloitte and Touche is responsible for the attached management letter dated March\n19, 2014 and the conclusions expressed in the letter. We do not express opinions on\nEx-Im Bank\xe2\x80\x99s financial statements or internal control or conclusions on compliance\nwith laws and regulations.\n\nWe appreciate the cooperation and courtesies provided to Deloitte and Touche and\nthis office during the audit. If you have questions, please contact Julie Wong,\n(202) 565-3920 Julie.Wong@exim.gov, or me at (202) 565-3499\nArturo.Cornejo@exim.gov. You can obtain additional information about the Export-\nImport Bank Office of Inspector General and the Inspector General Act of 1978 at\nwww.exim.gov/oig.\n\n\n\n\n                   811 Vermont Avenue, NW Washington, D.C. 20571\n\x0c                                                                           2\n\n\ncc:   Fred Hochberg, Chairman and President\n      C.J. Hall, Executive Vice President and Chief Risk Officer\n      Michael Cushing, Senior Vice President and Chief Operating Officer\n      Audit Committee\n      Nathalie Herman, Treasurer, Office of the Chief Financial Officer\n      Patricia Wolf, Controller, Office of the Chief Financial Office\n      John Lowry, Director, Information Technology Security and Systems\n              Assurance\n\n\n      Inci Tonguch-Murray, Business Compliance Officer\n\n\n      Duncan Barks, Partner, Deloitte and Touche LLP\n\n\n\n\n\n\n                 811 Vermont Avenue, NW Washington, D.C. 20571\n\x0cDeloitte.                                                                                Deloitte & Touche LLP\n                                                                                         1750 Tysons Blvd.\n                                                                                         Mclean, VA 22 102-4219\n                                                                                          USA\n                                                                                         Tel:+1 703 251 1000\n                                                                                         Fax: + 1 703 251 3400\n                                                                                         www.deloitte.com\nMarch 19, 2014\n\n\nManagement of the Exp01i-Imp01i Bank of the United States\n811 V ennont A venue NW\nWashington, D.C. 20571\n\nDear Members of Management:\n\nIn planning and performing our audit of the financial statements of the Export-Imp01i Bank of the United\nStates ("Ex-Im Bank") as of and forthe year ended September 30, 2013 (on which we have issued our\nrep01i dated December 12, 2013), in accordance with auditing standards generally accepted in the United\nStates of America, the standards applicable to the financial audits contained in the Government Auditing\nStandards, issued by the Comptroller General of the United States, and Office of Management and the\nBudget Bulletin No. 14-02, Audit Requirements for Federal Financial Statements, as amended, we\nconsidered the Ex-Im Bank\'s internal control over financial reporting as a basis for designing audit\nprocedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on\nthe effectiveness of the Ex-Im Bank\'s internal control over financial reporting. Accordingly, we do not\nexpress an opinion on the effectiveness of the Ex-Im Bank\'s internal control over financial reporting. This\nreport is based on our knowledge as of the date of our report on the financial statements, obtained in\nperfonning our audit thereof, and should be read with that understanding.\n\nOur consideration of internal control over financial reporting was for the limited purpose described in the\npreceding paragraph and was not designed to identify all deficiencies in internal control over financial\nreporting. However, in connection with our audit, we identified, and included in the attached Appendix A,\ndeficiencies related to the Ex-Im Bank\'s internal control over financial reporting and other matters as of\nSeptember 30, 2013, that we wish to bring to your attention.\nBased on our audit work, we believe management adequately addressed the deficiencies reported in our\nfiscal year (FY) 2012 management letter (see AppendixB).\nThe definition of a deficiency is also set forth in the attached Appendix A.\nAlthough we have included management\'s written response to our comments in Section I, such responses\nhave not been subjected to the auditing procedures applied in our audit of the financial statements and,\naccordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the\nresponses or the effectiveness of any corrective actions described therein.\nThis report is intended solely for the information and use of management, the Audit Committee, the\nInspector General, and others within the organization and is not intended to be, and should not be, used by\nanyone other than these specified parties.\nYours truly,\n\n\n\n\ncc: The Inspector General of the Export-Imp01i Bank of the United States and the Audit Committee of the\n    Expo ti-Import Bank of the United States\n\n\n\n                                                                                         Member of\n                                                                                         Deloitte Touche Tohmatsu Limited\n\x0c                                                                                               APPENDIX A \n\n\nSECTION I -      DEFICIENCIES\n\nWe identified, and have included below, deficiencies involving the Ex-Im Bank\'s internal control over\nfinancial repo11ing for the period from October 1, 2012 through September 30, 2013 that we wish to bring\nto your attention.\n\nIncorrect Maturity Dates of Working Capital Guarantee Transactions\n\nCondition:\n\nEx-Im Bank identified that maturity dates for some of the working capital guarantee transactions\nauthorized during FY 2012 and 2013 were inaccurate. We identified 122 working capital guarantee\ntransactions authorized during FY 2012 as inaccurate. For FY 2013 transactions, management made\nconections prior to audit testing. We found no exceptions for FY 2013 transactions after corrections made\nby management.\n\nCriteria:\n\nThe maturity dates of working capital guarantee transactions should be correctly reflected on the Ex-Im\nBank\' s portfolio. Additionally, sufficient controls should be in place to timely detect errors identified in\nthe entry of such information.\n\nCause:\n\nDue to inappropriate supervision and review, a staff member had been entering the maturity dates for new\nworking capital guarantees into the Loans and Guarantees Accounting System (LGA) incorrectly. The\nstaff entered the maturity date based on six months after the authorization date instead of six months after\nthe final disbursement date or expiration date.\n\nEffect or Potential Effect:\n\nThe incorrect working capital guarantee maturity dates resulted in exclusions of some working capital\nguarantees from Ex-Im Bank\'s 2012 potifolio. This resulted in an understatement of 2012 working capital\nguarantees exposure and the allowance for working capital guarantees of approximately $495 million\n(0.5% of the FY 2012 total portfolio exposure) and $2.9 million (0.2% of FY 2012 loan guarantee\nliability), respectively. Ex-Im Bank did not correct the 2012 financial statements as they were considered\nto be immaterial by Ex-Im Bank. We concurred with Ex-Im Bank\'s conclusion not to correct 2012\nexposure. The maturity dates for transactions authorized during FY 2013 were corrected as of\nSeptember 30, 2013 .\n\nRecommendation:\n\nWe recommend Ex-Im Bank enhances the review process of the working capital guarantee information\nentered by staff members. Additionally, management should communicate accounting policy and\nprocedures regarding working capital transactions to staff members. Specifically, by creating a desk\nprocedure that would effectively communicate policy and procedures to new staff members.\n\n\n\n\n                                                     -2\xc2\xad\n\x0cManagement Response:\n\nManagement agrees with the recommendation. Additional training on accounting policies and bank\nprocedures has been provided to staff members by depaiiment supervisors, before and after the error\noccmTed. Management will maintain a focus of improving efficiency in the review process and in the\nstandard operating procedure to ensure consistency and accuracy. Management will continue to\ncommunicate and update staff on any changes in the accounting policy and procedures should they\nchange in the future.\n\nIncorrect Late Interest Calculation\n\nCondition:\n\nWe identified that the late interest was incorrectly calculated due to inaccurate invoice received dates,\nlack of time stamp on invoices received, and inconsistencies in selecting appropriate invoice received\ndates in the event that a proper time stamp was missing.\n\nCriteria:\n\nThe late interest for vendor invoices should be calculated as instructed by the Prompt Payments Act (5\nCFR Part 1315), which states that interest will accrue from the day after the payment due date, until the\npayment date. The payment due date is deemed the later of the date the invoice is received and stamped,\nor seven days after the goods are received or services delivered.\n\nCause:\n\nThere was a lack of policy in place to provide proper guidance on appropriate invoice dates for the\npurpose of late interest calculation according to the Prompt Payment Act.\n\nEffect or Potential Effect:\n\nInterest expenses related to late payment could have been understated by approximately $12,000 as of\nSeptember 30, 2013. Ex-Im Bank implemented a plan to ensure proper time stamp and consistent invoice\nreceived dates as of September 30, 2013.\n\nRecommendation:\n\nWe recommend that Ex-Im Bank institutes specific policies for the application of proper invoice date\naccording to the Prompt Payment Act to ensure adherence to these policies. Ex-Im Bank should\nimplement proper controls to ensure the correct invoice dates are entered.\n\nManagement Response:\n\nManagement agrees with the recommendation. Management has installed two new stamping machines to\ncounter equipment failure and has implemented a new process that requires staff to date-stamp the\ninvoices that are processed. This will ensure that invoices have the proper date in accordance with the\nPrompt Payment Act. In addition, the Office of Contracting (OCS) and the Office of Administrative\nServices (OAS) supplied additional training to staff members on the importance of date-stamping\nincoming invoices in accordance with the Prompt Payment Act.\n\n\n\n\n                                                    - ,., \xc2\xad\n                                                      .)\n\x0cInaccurate Subsidy Re-estimate Journal Entries\n\nCondition:\n\nDuring our testing of the subsidy re-estimate journal entry, the following errors were noted :\n\n1) \t Ex-Im Bank identified that the FY 2013 subsidy re-estimate journal entry was incotTectly recorded .\n     The guarantee provision was incorrectly recorded as insurance provision.\n\n2) \t We identified that the subsidies for guarantee and insurance transactions were correctly calculated.\n     However, the subsidies for the coho1t year 2012 for insurance and guarantee transactions were not\n     included in the subsidy re-estimate journal entry and therefore were not recorded.\n\nEx-Im Bank recorded correcting journal entries to correct the errors as of September 30, 2013.\n\nCriteria:\n\nThe subsidy re-estimate journal entry should be recorded correctly according to accurate information and\ncalculations according to the Expected Loss Model developed by Ex-Im Bank.\n\nCause:\n\nThe subsidy re-estimate spreadsheet used to calculate the total subsidies had an incorrect formula which\nwas not detected upon review. Additionally, the subsidy for guarantees was inconectly recorded as\nsubsidy for insurance due to human error.\n\nEffect or Potential Effect:\n\nThe downward and upward subsidies were understated by approximately $80 and $10 million,\nrespectively at September 30, 2013. Ineffective review of the journal entries prior to posting could\npotentially cause an incorrect subsidy re-estimate journal entty and therefore an inaccurate subsidy\nrecorded in the financial statements. The errors were corrected by Exlm Bank as of September 3 0, 2013.\n\nRecommendation:\n\nWe recommend that a more comprehensive review of the subsidy re-estimate spreadsheet, as well as the\njournal entty, be performed to detect any material misstatements in a timely manner.\n\nManagement Response:\n\nManagement agrees with the recommendation. The Office of the Chief Financial Officer is implementing\na comprehensive review of the inputs and outputs of the calculation. Management continues to provide\ntraining to staff on the importance of a detailed review process that is conducted in a timely manner.\n\nIncorrect Interest Rate used in the Calculation of the Subsidy Re-estimate\n\nCondition:\n\nDuring our testing of the FY 2013 subsidy re-estimate, we identified that incotTect interest rates for\nmedium term and long tenn guarantees were utilized in the subsidy macro input table.\n\n\n\n\n                                                    -4\xc2\xad\n\x0cCriteria:\n\nThe subsidy re-estimate calculation macro should use the correct interest rate in order to calculate the\nsubsidy accurately.\n\nCause:\n\nDue to deficient review process, the interest rates for medium term and long term guarantees were\nincorrectly entered into the input table by the financial analyst. The incorrect rate were not identified in a\ntimely manner.\n\nEffect or Potential Effect:\n\nThe total provision was misstated by approximately $22 million. Ex-Im Bank made corrections to the\ninterest rate in the macro input table and recalculated the subsidy for FY 2013. Accordingly, Ex-Im Bank\nrecorded an adjustment to accurately reflect the provisions at September 30, 2013.\n\nRecommendation:\n\nWe recommend that Ex-Im Bank perfonn a more comprehensive review of the inputs used in the macro\nprior to performing the calculation of the subsidy re-estimate.\n\nManagement Response:\n\nManagement agrees with the recommendation. The Office of the Chief Financial Officer is implementing\na comprehensive review ofthe inputs and outputs of the calculation. Management continues to provide\ntraining to staff on the importance of a detailed review process that is conducted in a timely manner.\n\nInaccurate Rescheduled Loans Balance\n\nCondition:\n\nWe identified a rescheduled loan which was recorded inaccurately in the LGA. The rescheduled loan\nidentified by us maintained an outstanding balance of approximately $983,000 when it should be written\noff by Ex-Im Bank.\n\nCriteria:\n\nOnly rescheduled loans for which future cash flows are expected should be included in the records of Ex\xc2\xad\nIm Bank.\n\nCause:\n\nDue to insufficient review, a journal entry to write-off a rescheduled loan was recorded inaccurately.\n\nEffect or Potential Effect:\n\nThe rescheduled loan balance was overstated by approximately $983,000. This error was determined\nimmaterial by Ex-Im Bank and no correction was made. We concurred with Ex-Im Bank\'s conclusion.\n\n\n\n\n                                                     -5\xc2\xad\n\x0cRecommendation:\n\nWe recommend that controls be implemented to ensure that the proper journal entry is recorded to write\noff the rescheduled loan.\n\nManagement Response:\n\nManagement agrees with the recommendation. In an effo11 to ensure accuracy in the write off process,\nManagement will implement a control of cross checking the Rescheduled Loan (R-Loan) rep011 on a\nperiodic basis against known qualitative data and c01Tesponding information. Management will continue\nto monitor the report and provide additional training if needed.\n\nInappropriate Evidence or Inappropriate Assignment of Transactions for Risk Rating\n\nCondition:\n\nDuring our testing of risk rating, we identified inaccurate assignment of transactions within the Portfolio\nMonitoring and Control Group\'s (PMCG) non-core transactions and sh011-tenn single buyer insurance\ntransactions.\n\nCriteria:\n\nBCL ratings should be re-evaluated annually according to the FY 2013 Restimate Process. BCL ratings\nshould accurately reflect the underlying risk of a transaction/bon-ower.\n\nCause:\n\nDue to miscommunication among monitoring division, the following were noted:\n\n1) \t Five short-term single buyer insurance were evaluated as private instead of non-sovereign\n     transactions.\n\n2) \t Due to miscommunication, one medium term guarantee was not assigned to an appropriate\n     monitoring division. Therefore, the BCL for the bon-ower was not properly evaluated.\n\nEffect or Potential Effect:\n\nAllocating an inaccurate BCL rating to a bon-ower could result in a misstatement in the subsidy re\xc2\xad\nestimate.Ex-Im Bank reviewed the transactions identified by D&T and concluded that the BCL rating\nwas appropriate despite the incon-ect allocation.\n\nRecommendation:\n\nWe recommend as a part of the annual risk rating process Ex-Im Bank perform a review of transactions in\nthe portfolio to ensure that they are assigned to appropriate monitoring divisions.\n\nManagement Response:\n\nManagement agrees with the recommendation. Management is conducting a comprehensive review of\nwork-flow between the various divisions to ensure that credits are assigned to the appropriate monitoring\ndivisions. Every transaction or credit is unique and may not fit into a standardize<) mold, but management\nwill continue to work to improve the process in place.\n\n\n                                                    -6\xc2\xad\n\x0cUser Access Rights Review\n\nCondition:\n\nWe inspected the documentation for the January 2013 annual access rights review and noted that one\n(1) user requested to be removed from access by management maintained access to EXIM Online as of\nAugust 1, 2013. The one user noted was from a sample of five selections selected for our testing.\n\nCriteria:\n\nManagement\'s requests for access changes related to the annual access reviews at Ex-Im should be\naddressed in a timely manner, and in the specific event access removals are requested, they should be\nrevoked as soon as possible.\n\nCause:\n\nDue to a human en-or, and insufficient review, the individual responsible for making access change did\nnot remove a user\'s access after his review of the change request.\n\nEffect or Potential Effect:\n\nIf access privileges are not established effectively, data integrity, confidentiality, and availability may be\ncompromised through intentional or unintentional errors. Without effective and timely reviews, there will\nbe no assurance that user access privileges remain appropriate, or that logical security is effective.\nAdditionally, potential threats and misuse may not be timely noted. After this exception was identified,\nmanagement reviewed and removed the user\'s access (within EXIM Online) as evidenced through testing\non September 5, 2013 and September 19, 2013.\n\nRecommendation:\n\nWhile Ex-Im Bank remediated the user access exception, we recommend that Ex-Im Bank continue to\nfocus on the execution of access changes in relation to the annual access review and perform a\nconfinnation process after the annual access review to ensure that all required changes were completed\naccording to the access request. This control assists in the overall effectiveness of Ex-Im Bank\'s process\nfor user account administration.\n\nManagement Response:\n\nManagement agrees with the recommendation. The confirmation process after the annual Access Control\nReview (ACR) has been completed and is being executed during the ongoing ACR cycle for FY14 (now\nunderway since November 2013). Management has determined that there is nothing intrinsic in the failure\nto modify the account identified in the finding that exposed the Bank to any additional security risk that\naffects the confidentiality, integrity, and availability of the Bank\'s critical information. Management will\ncontinue to monitor and provide additional controls if needed.\n\n\n\n\n                                                     -7\xc2\xad\n\x0cSECTION II -     OTHER MATTERS\n\nRefer to Appendix B below for the status of the FY 2012 management letter comments.\n\nSECTION Ill -     DEFINITIONS\n\nThe definitions of a deficiency is as follows:\n\nA deficiency in internal control over financial repo1iing exists when the design or operation of a control\ndoes not allow management or employees, in the nonnal course of perfonning their assigned functions, to\nprevent, or detect and correct misstatements on a timely basis. A deficiency in design exists when (a) a\ncontrol necessary to meet the control objective is missing or (b) an existing control is not properly\ndesigned so that, even if the control operates as designed, the control objective would not be met. A\ndeficiency in operation exists when (a) a properly designed control does not operate as designed, or\n(b) the person performing the control does not possess the necessary authority or competence to perform\nthe control effectively.\n\n                                                 ******\n\n\n\n\n                                                   -8\xc2\xad\n\x0c                                                                                        APPENDIX B\n\nThe table below provides the status of the FY 2012 management letter comments:\n\nControl Deficiencies:\n\n\n                                                        Elevated to\n                                                         Material      Still Relevant   Adequately\nNo.               Prior Year Comments                   Weakness       and Repeated      Resolved\n\n\n 1.   Budget Cost Level (BCL) ratings relied on                                             x\n      inaccurate information\n\n\n2.    Inconsistency in BCL rating between Loans                                             x\n      and Guarantees Accounting System (LGA) and\n      the Asset Management System (AMS)\n\n\n3.    Inaccurate repayment schedule in the LGA                                              x\n      System\n\n\n4.    Inaccurate information used for subsidy                                               x\n      calculation \xc2\xad cash flow worksheet\n\n\n5.    Incorrect Accrual Status of Rescheduled Loans                                         x\n      written off in prior years\n\n\n6.    Incorrect Pre-Credit Reform Allowance for                                             x\n      Loan Loss journal entry\n\n\n7.    Incorrect Formula used in the Allowance                                               x\n      calculation\n\n\n8.    Retention of Daily Security Monitoring report                                         x\n\n\n\n\n                                                  -9\xc2\xad\n\x0cOffice of Inspector General\nExport-Import Bank of the United States\n811 Vermont Avenue, NW\nWashington, DC 20571\n202-565-3908\nwww.exim.gov/oig\n\x0c'